[Samba] W2k joining a domain controlled by samba 3.0.2a (PDC)

Rafal Pietrak rafal at zorro.isa-geek.com
Tue May 11 12:18:17 GMT 2004


On Tue, 11 May 2004, Buchan Milne wrote:
> On Tue, 11 May 2004, Rafal Pietrak wrote:
>> Hi all,
....
>> ->(lower-box/I-select)Domain=WORKGROUP"; I'm asked then for a domain
>> administrator login and password. So, the questions are:
>> (I) Who is this?
>
> It needs to be someone who can create accounts via your 'add user' etc
> scripts.

Should that be enough?

What could have been the problem when I manually created a machine account
on my samba? Could "smbpasswd -a -m <host>" have created a wrong password
for the new machine?

>> But, I also tried to add the workstation account directly at samba
>> BEFORE
>> I try to execute the above at the workstation itself. The result is:
>> example$ getent passwd WYDAWNIC-LDC0LG\$
>> **pass*> WYDAWNIC-LDC0LG$:x:60000:65534:Komputer \
>> WYDAWNIC-LDC0LG:/home/hosts:
>> to no avail - the W2K still gets declined by samba.
>>
>> Any clue what's wrong here?
>
> Samba needs to be able to change the workstation's trust account password

Yup. I hope I can figure out where exactly it fails ...

In the logs I've included in my initial e-mail, there were fragments (my
pick of actual fragments was 'blind' - I don't really know what happens
there) which surround a DECLINE within samba - a decline on credential
validation. The whole session has two such DECLINE events, of those (here
I include only the 'declines', now). Those DECLINEs look like declines
*before* anything like "add user" script gets considered.

In particular, the second instance looks like internal samba validation
(not failure of "add user" script) was the reason for the decline.

Any comment?

thanks,

-R
------------------logfile----------------
[2004/05/10 22:35:43, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000211, for NT token with 6 entries and first sid S-1-5-21-3658755377-320826499-3197562212-1081.
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(251)
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-3658755377-320826499-3197562212-1081
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-512
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-513
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
[2004/05/10 22:35:43, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (211) denied.
[2004/05/10 22:35:43, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_open_domain
====================================================
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:dbg_rw_punival(807)
          0028 buffer     : W.Y.D.A.W.N.I.C.-.L.D.C.0.L.G.$.
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      0048 acb_info   : 00000080
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      004c access_mask: e00500b0
[2004/05/10 22:35:43, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0] [000] 00 00 00 00 05 00 00 00  00 00 00 00 9F E7 9F 40  ........ .......@
  [010] 0A 6C 00 00                                       .l..
[2004/05/10 22:35:43, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_create_user: access check ((granted: 0x00000201;  required: 0x00000010)
[2004/05/10 22:35:43, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_create_user
========================================================
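
Added example, not part of the original post and not Samba code: a Python sketch that replays the allow-ACE walk visible in the se_access_check lines above, using values copied from the log, and reports which requested bits no ACE grants. The simplified walk (allow ACEs only) and the right names, taken from MS-SAMR, are assumptions of the example.

```python
import re

# Log lines copied from the post above (mail-wrapped lines re-joined).
LOG = """\
  se_access_check: requested access 0x00000211, for NT token with 6 entries and first sid S-1-5-21-3658755377-320826499-3197562212-1081.
  se_access_check: user sid is S-1-5-21-3658755377-320826499-3197562212-1081
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-512
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-513
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
"""

# SAMR domain access rights as named in MS-SAMR (assumption: not stated in the post).
SAMR_DOMAIN_RIGHTS = {0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
                      0x010: "DOMAIN_CREATE_USER",
                      0x200: "DOMAIN_LOOKUP"}

def parse(log):
    """Extract the requested mask, the token's SIDs and the ACE list from the log text."""
    requested = int(re.search(r"requested access (0x[0-9a-fA-F]+)", log).group(1), 16)
    token = set(re.findall(r"(?:user sid is|also) (S-[\d-]+)", log))
    aces = [(int(t), sid, int(mask, 16)) for t, sid, mask in
            re.findall(r"ACE \d+: type (\d+), .*?SID = (S-[\d-]+) mask = ([0-9a-f]+)", log)]
    return requested, token, aces

def walk(requested, token, aces):
    """Simplified DACL walk: an allow ACE (type 0) clears bits only if its SID is in the token."""
    desired, skipped = requested, []
    for ace_type, sid, mask in aces:
        if ace_type != 0:
            continue  # deny ACEs are not modelled in this sketch
        if sid in token:
            desired &= ~mask
        elif mask & desired:
            skipped.append(sid)  # covers a missing bit, but the token lacks this SID
    return requested & ~desired, desired, skipped

def names(mask):
    return [name for bit, name in SAMR_DOMAIN_RIGHTS.items() if mask & bit]

if __name__ == "__main__":
    granted, missing, skipped = walk(*parse(LOG))
    print(f"granted 0x{granted:03x} {names(granted)}")
    print(f"missing 0x{missing:03x} {names(missing)}")
    print("ACEs covering the missing bits whose SID is not in the token:", skipped)
```

The result agrees with the later _samr_create_user line (granted 0x201, required 0x10): only the ACEs for S-1-5-32-544 and S-1-5-32-548 cover bit 0x10, and neither SID appears in the token listed by se_access_check.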

